As others have mentioned, this will do nothing but make people annoyed
and switch to the hash_file() version of exactly the same thing or put
up another hurdle to upgrading PHP.
The password hashing API now provides an obvious go-to for password hashing.
For other hashing usages there are, I think, basically two scenarios
developers find themselves in:
1) I'm using an API or some other external service and that requires the
use of md5 / sha1 - I don't have a choice
2) What do I use instead? Internet searches return "sha1 / md5 is fine
for this purpose" or recommend algorithms that aren't natively supported
in PHP.
The (hash library) documentation does nothing towards helping developers
decide what algorithms (or even which hash library functions) they
should use for what purposes (and there are a lot of acronyms that many
developers are likely to have never encountered that are never explained
- HMAC, PBKDF2, HKDF).
Yes, of course developers can use third party sources to supplement the
information in the manual, but who has time to go searching for that
(esp. when most of the first page on Google probably tells you md5/sha1
is fine anyway)?
If you want to change the way developers think about hashing when
writing PHP, I would start with the documentation rather than
deprecating functions which are essentially aliases and are highly
likely used all over the place in cases where they do exactly what
people want.
AllenJB
On 10/02/2020 21:49, Tom Van Looy via internals wrote:
Hi
While in some environments the use of MD5 and SHA1 is still acceptable for
some use cases like file integrity verification etc., the use of these
algorithms should be discouraged and not be your choice when developing new
applications.
I suggest deprecating the functions md5_file() and sha1_file(). This will
make people think about upgrading to a better alternative. If you still
need this functionality you can always switch to the hash_file() function.
Carrying around these two dedicated functions seems a bit too much for a
modern PHP. What do you think?
My feeling was that this is a no-brainer. Should I open an RFC for this?
Kind regards,
Tom Van Looy
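An added example, not part of either message or of the PHP manual: the hash functions and acronyms named in the reply (hash_file(), HMAC, PBKDF2, HKDF, the password hashing API), each matched to the job it is meant for. The file, key, password, info labels and the PBKDF2 iteration count are constructed values chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: a temp file, a random key and a sample password.
$path = tempnam(sys_get_temp_dir(), 'hash-demo-');
file_put_contents($path, "constructed sample contents\n");
$key      = random_bytes(32);
$password = 'constructed-sample-password';

// 1) File checksum. md5_file()/sha1_file() return the same digest as
//    hash_file() with that algorithm name, so moving to SHA-256 is a
//    one-argument change where no external service dictates the algorithm.
$sameMd5  = md5_file($path) === hash_file('md5', $path);
$sameSha1 = sha1_file($path) === hash_file('sha1', $path);
$checksum = hash_file('sha256', $path);

// 2) HMAC: a keyed hash. A plain digest only detects accidental change;
//    an HMAC also shows the data came from someone holding $key.
$message = 'constructed message';
$tag     = hash_hmac('sha256', $message, $key);
$tagOk   = hash_equals($tag, hash_hmac('sha256', $message, $key)); // constant-time compare

// 3) Password storage: the password hashing API picks algorithm, salt and cost.
$stored     = password_hash($password, PASSWORD_DEFAULT);
$passwordOk = password_verify($password, $stored);

// 4) PBKDF2: stretch a low-entropy password into key material, e.g. to
//    encrypt a file with a passphrase. The iteration count is illustrative.
$salt    = random_bytes(16);
$fromPwd = hash_pbkdf2('sha256', $password, $salt, 600000, 32, true);

// 5) HKDF: split one high-entropy key into independent, purpose-bound
//    subkeys. It does no stretching, so the input must already be strong.
$encKey = hash_hkdf('sha256', $key, 32, 'constructed-label:encryption');
$macKey = hash_hkdf('sha256', $key, 32, 'constructed-label:authentication');

printf("md5_file() matches hash_file('md5'):   %s\n", var_export($sameMd5, true));
printf("sha1_file() matches hash_file('sha1'): %s\n", var_export($sameSha1, true));
printf("SHA-256 checksum:  %s\n", $checksum);
printf("HMAC tag verifies: %s\n", var_export($tagOk, true));
printf("Password verifies: %s\n", var_export($passwordOk, true));
printf("PBKDF2 key bytes:  %d\n", strlen($fromPwd));
printf("HKDF subkeys differ: %s\n", var_export(!hash_equals($encKey, $macKey), true));

unlink($path);
```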